Re: NTLM and OpenLDAP

Marc,
the NTLM plugin in cyrus-sasl is an old broken custom implementation of
NTLM. It used a dirty hack to try to replay the NTLM authentication
against an SMB server (using an old skeleton SMB 1 implementation which
uses an SMB dialect now disabled on most servers) as a way to support
authenticating against a separate server. This kind of authentication
hijack will not work with any modern setup.

We should really drop this hack, and replace the plugin by using
something like gssntlmssp with libgssapi (either as part of the GSSAPI
plugin, or as a new plugin that is NTLM specific).

Gssntlmssp can properly interface to winbind and do correct NTLM
authentication against a DC if the ldap server is joined to the domain.

However nobody has proposed this change, and I never found the time to
do it myself.

HTH,
Simo.

On Wed, 2022-03-02 at 10:56 -0500, mboorshtein@xxxxxxxxx wrote:
> Hello,
> 
> I'm working with a very legacy deployment that needs to use NTLM.  I'm trying to validate some assumptions (or find out they're not correct).  What I need to be able to do is have a client use SASL with NTLM to my OpenLDAP server, which will authenticate the user against their domain controller, and then use OpenLDAP's ldap backend to talk to another directory using a service account identity.  I have the last part working (searching a remote LDAP with a service account), but authentication fails.  Here's my slapd configuration:
> 
> authz-regexp
>   uid=([^,]*),cn=ntlm,cn=auth
>   ldap:///DC=domain1,DC=domain2,DC=com??sub?(samAccountName=$1)
> 
> 
> # ldbm and/or bdb database definitions
> 
> database ldap
> suffix "DC=domain1,DC=domain2,DC=com"
> uri    ldap://192.168.2.190:10983/
> acl-bind bindmethod=simple binddn=cn=ou_svc_account,ou=Users,DC=domain1,DC=domain2,DC=com credentials=start123
> 
> When the NTLM request comes in, it finds the right entry, but then fails:
> 
> 621f91e2.1376779f 0x7fd803655700 slap_listener_activate(7):
> 621f91e2.13774701 0x7fd802e54700 >>> slap_listener(ldap://*:50983)
> 621f91e2.1385a26d 0x7fd802e54700 connection_get(9): got connid=1001
> 621f91e2.1385cda1 0x7fd802e54700 connection_read(9): checking for input on id=1001
> 621f91e2.1385df4a 0x7fd802e54700 ber_get_next
> 621f91e2.13860c8d 0x7fd802e54700 ber_get_next: tag 0x30 len 52 contents:
> 621f91e2.138620c2 0x7fd802e54700 op tag 0x60, time 1646236130
> 621f91e2.138632b9 0x7fd802e54700 ber_get_next
> 621f91e2.13866174 0x7fd802e54700 conn=1001 op=0 do_bind
> 621f91e2.138670ed 0x7fd802e54700 ber_scanf fmt ({imt) ber:
> 621f91e2.13867d98 0x7fd802e54700 ber_scanf fmt ({m) ber:
> 621f91e2.13868c6f 0x7fd802e54700 ber_scanf fmt (m) ber:
> 621f91e2.1386968d 0x7fd802e54700 ber_scanf fmt (}}) ber:
> 621f91e2.1386a636 0x7fd802e54700 >>> dnPrettyNormal: <>
> 621f91e2.1386b2b0 0x7fd802e54700 <<< dnPrettyNormal: <>, <>
> 621f91e2.13870126 0x7fd802e54700 do_bind: dn () SASL mech NTLM
> 621f91e2.1387c451 0x7fd802e54700 send_ldap_sasl: err=14 len=102
> 621f91e2.1387d973 0x7fd802e54700 send_ldap_response: msgid=1 tag=97 err=14
> 621f91e2.1387f1e7 0x7fd802e54700 ber_flush2: 148 bytes to sd 9
> 621f91e2.138a0ecd 0x7fd802e54700 <== slap_sasl_bind: rc=14
> 621f91e8.29882eb9 0x7fd802e54700 connection_get(9): got connid=1001
> 621f91e8.29888530 0x7fd802e54700 connection_read(9): checking for input on id=1001
> 621f91e8.298896a6 0x7fd802e54700 ber_get_next
> 621f91e8.2988d46f 0x7fd802e54700 ber_get_next: tag 0x30 len 193 contents:
> 621f91e8.2988e8ef 0x7fd802e54700 op tag 0x60, time 1646236136
> 621f91e8.2988fdc7 0x7fd802e54700 ber_get_next
> 621f91e8.2989357e 0x7fd802e54700 conn=1001 op=1 do_bind
> 621f91e8.29894452 0x7fd802e54700 ber_scanf fmt ({imt) ber:
> 621f91e8.298950ea 0x7fd802e54700 ber_scanf fmt ({m) ber:
> 621f91e8.29895be9 0x7fd802e54700 ber_scanf fmt (m) ber:
> 621f91e8.29896533 0x7fd802e54700 ber_scanf fmt (}}) ber:
> 621f91e8.298971be 0x7fd802e54700 >>> dnPrettyNormal: <>
> 621f91e8.29897eaf 0x7fd802e54700 <<< dnPrettyNormal: <>, <>
> 621f91e8.298a0cdf 0x7fd802e54700 do_bind: dn () SASL mech NTLM
> 621f91e8.298b0c1a 0x7fd802e54700 slap_sasl_getdn: u:id converted to uid=ou_svc_account,cn=NTLM,cn=auth
> 621f91e8.298b55a5 0x7fd802e54700 >>> dnNormalize: <uid=ou_svc_account,cn=NTLM,cn=auth>
> 621f91e8.298b85e6 0x7fd802e54700 <<< dnNormalize: <uid=ou_svc_account,cn=ntlm,cn=auth>
> 621f91e8.298b90f6 0x7fd802e54700 ==>slap_sasl2dn: converting SASL name uid=ou_svc_account,cn=ntlm,cn=auth to a DN
> 621f91e8.298ba4f7 0x7fd802e54700 ==> rewrite_context_apply [depth=1] string='uid=ou_svc_account,cn=ntlm,cn=auth'
> 621f91e8.298bb2ea 0x7fd802e54700 ==> rewrite_rule_apply rule='uid=([^,]*),cn=ntlm,cn=auth' string='uid=ou_svc_account,cn=ntlm,cn=auth' [1 pass(es)]
> 621f91e8.298c0d30 0x7fd802e54700 ==> rewrite_context_apply [depth=1] res={0,'ldap:///DC=domain1,DC=domain2,DC=com??sub?(samAccountName=ou_svc_account)'}
> 621f91e8.298c1d4f 0x7fd802e54700 slap_parseURI: parsing ldap:///DC=domain1,DC=domain2,DC=com??sub?(samAccountName=ou_svc_account)
> 621f91e8.298c30f8 0x7fd802e54700 ldap_url_parse_ext(ldap:///DC=domain1,DC=domain2,DC=com??sub?(samAccountName=ou_svc_account))
> 621f91e8.298c4a46 0x7fd802e54700 put_filter: "(samAccountName=ou_svc_account)"
> 621f91e8.298c5a64 0x7fd802e54700 put_filter: simple
> 621f91e8.298c96a7 0x7fd802e54700 put_simple_filter: "samAccountName=ou_svc_account"
> 621f91e8.298cc7af 0x7fd802e54700 ber_scanf fmt ({mm}) ber:
> 621f91e8.298d0025 0x7fd802e54700 >>> dnNormalize: <DC=domain1,DC=domain2,DC=com>
> 621f91e8.298d279b 0x7fd802e54700 <<< dnNormalize: <dc=domain1,dc=domain2,dc=com>
> 621f91e8.298d4109 0x7fd802e54700 slap_sasl2dn: performing internal search (base=dc=domain1,dc=domain2,dc=com, scope=2)
> 621f91e8.298d61dd 0x7fd802e54700 =>ldap_back_getconn: conn 0x7fd7f4110050 fetched refcnt=1.
> 621f91e8.298d7a72 0x7fd802e54700 ldap_search_ext
> 621f91e8.298da1d9 0x7fd802e54700 put_filter: "(samAccountName=ou_svc_account)"
> 621f91e8.298dbb11 0x7fd802e54700 put_filter: simple
> 621f91e8.298dcaa0 0x7fd802e54700 put_simple_filter: "samAccountName=ou_svc_account"
> 621f91e8.298de36a 0x7fd802e54700 ldap_send_initial_request
> 621f91e8.298df4cc 0x7fd802e54700 ldap_send_server_request
> 621f91e8.298e08d2 0x7fd802e54700 ber_scanf fmt ({it) ber:
> 621f91e8.298e1854 0x7fd802e54700 ber_scanf fmt ({) ber:
> 621f91e8.298e2b05 0x7fd802e54700 ber_flush2: 89 bytes to sd 10
> 621f91e8.29a4267d 0x7fd802e54700 ldap_result ld 0x7fd7f41100e0 msgid 4
> 621f91e8.29a47391 0x7fd802e54700 wait4msg ld 0x7fd7f41100e0 msgid 4 (timeout 100000 usec)
> 621f91e8.29a48a0f 0x7fd802e54700 wait4msg continue ld 0x7fd7f41100e0 msgid 4 all 0
> 621f91e8.29a49c6f 0x7fd802e54700 ** ld 0x7fd7f41100e0 Connections:
> 621f91e8.29a4cb98 0x7fd802e54700 * host: 192.168.2.190  port: 10983  (default)
> 621f91e8.29a4f372 0x7fd802e54700 * from: IP=192.168.2.110:36190
> 621f91e8.29a504f5 0x7fd802e54700   refcnt: 2  status: Connected
> 621f91e8.29a523e3 0x7fd802e54700   last used: Wed Mar  2 10:48:56 2022
> 
> 621f91e8.29a5349a 0x7fd802e54700
> 621f91e8.29a547a0 0x7fd802e54700 ** ld 0x7fd7f41100e0 Outstanding Requests:
> 621f91e8.29a55ac4 0x7fd802e54700  * msgid 4,  origid 4, status InProgress
> 621f91e8.29a56b69 0x7fd802e54700    outstanding referrals 0, parent count 0
> 621f91e8.29a57c9f 0x7fd802e54700   ld 0x7fd7f41100e0 request count 1 (abandoned 0)
> 621f91e8.29a58c8a 0x7fd802e54700 ** ld 0x7fd7f41100e0 Response Queue:
> 621f91e8.29a59c17 0x7fd802e54700    Empty
> 621f91e8.29a5abed 0x7fd802e54700   ld 0x7fd7f41100e0 response count 0
> 621f91e8.29a5bc6d 0x7fd802e54700 ldap_chkResponseList ld 0x7fd7f41100e0 msgid 4 all 0
> 621f91e8.29a5cd11 0x7fd802e54700 ldap_chkResponseList returns ld 0x7fd7f41100e0 NULL
> 621f91e8.29a5e252 0x7fd802e54700 ldap_int_select
> 621f91e8.29e6fc71 0x7fd802e54700 read1msg: ld 0x7fd7f41100e0 msgid 4 all 0
> 621f91e8.29e73e82 0x7fd802e54700 ber_get_next
> 621f91e8.29e76970 0x7fd802e54700 ber_get_next: tag 0x30 len 60 contents:
> 621f91e8.29e77e5c 0x7fd802e54700 ldap_find_request_by_msgid: msgid 4, lr 0x7fd7f4103610 lr->lr_refcnt = 1
> 621f91e8.29e78bc6 0x7fd802e54700 read1msg: ld 0x7fd7f41100e0 msgid 4 message type search-entry
> 621f91e8.29e79982 0x7fd802e54700 ldap_return_request: lrx 0x7fd7f4103610, lr 0x7fd7f4103610
> 621f91e8.29e7a5da 0x7fd802e54700 ldap_return_request: lrx->lr_msgid 4, lrx->lr_refcnt is now 0, lr is still present
> 621f91e8.29e7b93b 0x7fd802e54700 ber_scanf fmt ({m) ber:
> 621f91e8.29e7c89b 0x7fd802e54700 >>> dnPrettyNormal: <cn=ou_svc_account,ou=Users,DC=domain1,DC=domain2,DC=com>
> 621f91e8.29e81713 0x7fd802e54700 <<< dnPrettyNormal: <cn=ou_svc_account,ou=Users,dc=domain1,dc=domain2,dc=com>, <cn=ou_svc_account,ou=users,dc=domain1,dc=domain2,dc=com>
> 621f91e8.29e82585 0x7fd802e54700 ber_scanf fmt ({xx) ber:
> 621f91e8.29e84539 0x7fd802e54700 ldap_msgfree
> 621f91e8.29e8528b 0x7fd802e54700 ldap_result ld 0x7fd7f41100e0 msgid 4
> 621f91e8.29e85e7a 0x7fd802e54700 wait4msg ld 0x7fd7f41100e0 msgid 4 (timeout 100000 usec)
> 621f91e8.29e86a24 0x7fd802e54700 wait4msg continue ld 0x7fd7f41100e0 msgid 4 all 0
> 621f91e8.29e876aa 0x7fd802e54700 ** ld 0x7fd7f41100e0 Connections:
> 621f91e8.29e883f2 0x7fd802e54700 * host: 192.168.2.190  port: 10983  (default)
> 621f91e8.29e89a93 0x7fd802e54700 * from: IP=192.168.2.110:36190
> 621f91e8.29e8a5f0 0x7fd802e54700   refcnt: 2  status: Connected
> 621f91e8.29e8beaa 0x7fd802e54700   last used: Wed Mar  2 10:48:56 2022
> 
> 621f91e8.29e8ca4f 0x7fd802e54700
> 621f91e8.29e8d489 0x7fd802e54700 ** ld 0x7fd7f41100e0 Outstanding Requests:
> 621f91e8.29e8e1d8 0x7fd802e54700  * msgid 4,  origid 4, status InProgress
> 621f91e8.29e8ed1f 0x7fd802e54700    outstanding referrals 0, parent count 0
> 621f91e8.29e8fe8c 0x7fd802e54700   ld 0x7fd7f41100e0 request count 1 (abandoned 0)
> 621f91e8.29e90e8e 0x7fd802e54700 ** ld 0x7fd7f41100e0 Response Queue:
> 621f91e8.29e91d76 0x7fd802e54700    Empty
> 621f91e8.29e92d2b 0x7fd802e54700   ld 0x7fd7f41100e0 response count 0
> 621f91e8.29e93ab4 0x7fd802e54700 ldap_chkResponseList ld 0x7fd7f41100e0 msgid 4 all 0
> 621f91e8.29e944ed 0x7fd802e54700 ldap_chkResponseList returns ld 0x7fd7f41100e0 NULL
> 621f91e8.29e95274 0x7fd802e54700 ldap_int_select
> 621f91e8.29f173c4 0x7fd802e54700 read1msg: ld 0x7fd7f41100e0 msgid 4 all 0
> 621f91e8.29f19e87 0x7fd802e54700 ber_get_next
> 621f91e8.29f635f0 0x7fd802e54700 ber_get_next: tag 0x30 len 12 contents:
> 621f91e8.29f65c13 0x7fd802e54700 ldap_find_request_by_msgid: msgid 4, lr 0x7fd7f4103610 lr->lr_refcnt = 1
> 621f91e8.29f669d9 0x7fd802e54700 read1msg: ld 0x7fd7f41100e0 msgid 4 message type search-result
> 621f91e8.29f6756a 0x7fd802e54700 ber_scanf fmt ({eAA) ber:
> 621f91e8.29f683b8 0x7fd802e54700 read1msg: ld 0x7fd7f41100e0 0 new referrals
> 621f91e8.29f68f2e 0x7fd802e54700 read1msg:  mark request completed, ld 0x7fd7f41100e0 msgid 4
> 621f91e8.29f69b7d 0x7fd802e54700 request done: ld 0x7fd7f41100e0 msgid 4
> 621f91e8.29f6a6b2 0x7fd802e54700 res_errno: 0, res_error: <>, res_matched: <>
> 621f91e8.29f6b13d 0x7fd802e54700 ldap_return_request: lrx 0x7fd7f4103610, lr 0x7fd7f4103610
> 621f91e8.29f6bc87 0x7fd802e54700 ldap_return_request: lrx->lr_msgid 4, lrx->lr_refcnt is now 0, lr is still present
> 621f91e8.29f6c7ef 0x7fd802e54700 ldap_free_request (origid 4, msgid 4)
> 621f91e8.29f6d625 0x7fd802e54700 ldap_free_request_int: lr 0x7fd7f4103610 msgid 4 removed
> 621f91e8.29f6e1e1 0x7fd802e54700 ldap_do_free_request: asked to free lr 0x7fd7f4103610 msgid 4 refcnt 0
> 621f91e8.29f6f589 0x7fd802e54700 ldap_parse_result
> 621f91e8.29f7017a 0x7fd802e54700 ber_scanf fmt ({iAA) ber:
> 621f91e8.29f70d44 0x7fd802e54700 ber_scanf fmt (}) ber:
> 621f91e8.29f718e5 0x7fd802e54700 ldap_msgfree
> 621f91e8.29f728a8 0x7fd802e54700 send_ldap_result: conn=1001 op=1 p=3
> 621f91e8.29f7408a 0x7fd802e54700 <==slap_sasl2dn: Converted SASL name to cn=ou_svc_account,ou=users,dc=domain1,dc=domain2,dc=com
> 621f91e8.29f74e4a 0x7fd802e54700 slap_sasl_getdn: dn:id converted to cn=ou_svc_account,ou=users,dc=domain1,dc=domain2,dc=com
> 621f91e8.29f78990 0x7fd802e54700 =>ldap_back_getconn: conn 0x7fd7f4110050 fetched refcnt=1.
> 621f91e8.29f79a7a 0x7fd802e54700 ldap_search_ext
> 621f91e8.29f7b4d5 0x7fd802e54700 put_filter: "(objectclass=*)"
> 621f91e8.29f7c023 0x7fd802e54700 put_filter: simple
> 621f91e8.29f7ca43 0x7fd802e54700 put_simple_filter: "objectclass=*"
> 621f91e8.29f7da8e 0x7fd802e54700 ldap_send_initial_request
> 621f91e8.29f7e539 0x7fd802e54700 ldap_send_server_request
> 621f91e8.29f7f223 0x7fd802e54700 ber_scanf fmt ({it) ber:
> 621f91e8.29f7fcac 0x7fd802e54700 ber_scanf fmt ({) ber:
> 621f91e8.29f808ee 0x7fd802e54700 ber_flush2: 90 bytes to sd 10
> 621f91e8.29fcac04 0x7fd802e54700 ldap_result ld 0x7fd7f41100e0 msgid 5
> 621f91e8.29fcff6a 0x7fd802e54700 wait4msg ld 0x7fd7f41100e0 msgid 5 (timeout 100000 usec)
> 621f91e8.29fd1367 0x7fd802e54700 wait4msg continue ld 0x7fd7f41100e0 msgid 5 all 0
> 621f91e8.29fd250b 0x7fd802e54700 ** ld 0x7fd7f41100e0 Connections:
> 621f91e8.29fd3765 0x7fd802e54700 * host: 192.168.2.190  port: 10983  (default)
> 621f91e8.29fd594b 0x7fd802e54700 * from: IP=192.168.2.110:36190
> 621f91e8.29fd6950 0x7fd802e54700   refcnt: 2  status: Connected
> 621f91e8.29fd8874 0x7fd802e54700   last used: Wed Mar  2 10:48:56 2022
> 
> 621f91e8.29fd9a2e 0x7fd802e54700
> 621f91e8.29fda9a8 0x7fd802e54700 ** ld 0x7fd7f41100e0 Outstanding Requests:
> 621f91e8.29fdb5b3 0x7fd802e54700  * msgid 5,  origid 5, status InProgress
> 621f91e8.29fdc02f 0x7fd802e54700    outstanding referrals 0, parent count 0
> 621f91e8.29fdcb72 0x7fd802e54700   ld 0x7fd7f41100e0 request count 1 (abandoned 0)
> 621f91e8.29fdd5d5 0x7fd802e54700 ** ld 0x7fd7f41100e0 Response Queue:
> 621f91e8.29fddfff 0x7fd802e54700    Empty
> 621f91e8.29fdea2a 0x7fd802e54700   ld 0x7fd7f41100e0 response count 0
> 621f91e8.29fdf4f4 0x7fd802e54700 ldap_chkResponseList ld 0x7fd7f41100e0 msgid 5 all 0
> 621f91e8.29fdff05 0x7fd802e54700 ldap_chkResponseList returns ld 0x7fd7f41100e0 NULL
> 621f91e8.29fe0b3a 0x7fd802e54700 ldap_int_select
> 621f91e8.2a431353 0x7fd802e54700 read1msg: ld 0x7fd7f41100e0 msgid 5 all 0
> 621f91e8.2a43566c 0x7fd802e54700 ber_get_next
> 621f91e8.2a4387d3 0x7fd802e54700 ber_get_next: tag 0x30 len 356 contents:
> 621f91e8.2a43bd94 0x7fd802e54700 ldap_find_request_by_msgid: msgid 5, lr 0x7fd7f4118dd0 lr->lr_refcnt = 1
> 621f91e8.2a43d9dd 0x7fd802e54700 read1msg: ld 0x7fd7f41100e0 msgid 5 message type search-entry
> 621f91e8.2a43ec66 0x7fd802e54700 ldap_return_request: lrx 0x7fd7f4118dd0, lr 0x7fd7f4118dd0
> 621f91e8.2a43fef2 0x7fd802e54700 ldap_return_request: lrx->lr_msgid 5, lrx->lr_refcnt is now 0, lr is still present
> 621f91e8.2a44181d 0x7fd802e54700 ber_scanf fmt ({m) ber:
> 621f91e8.2a4429d4 0x7fd802e54700 >>> dnPrettyNormal: <cn=ou_svc_account,ou=users,DC=domain1,DC=domain2,DC=com>
> 621f91e8.2a4483b0 0x7fd802e54700 <<< dnPrettyNormal: <cn=ou_svc_account,ou=users,dc=domain1,dc=domain2,dc=com>, <cn=ou_svc_account,ou=users,dc=domain1,dc=domain2,dc=com>
> 621f91e8.2a4497bc 0x7fd802e54700 ber_scanf fmt ({m) ber:
> 621f91e8.2a44b575 0x7fd802e54700 ber_scanf fmt ([W]) ber:
> 621f91e8.2a44ceeb 0x7fd802e54700 ber_scanf fmt ({m) ber:
> 621f91e8.2a44efb7 0x7fd802e54700 ber_scanf fmt ([W]) ber:
> 621f91e8.2a4505e9 0x7fd802e54700 ber_scanf fmt ({m) ber:
> 621f91e8.2a4519ab 0x7fd802e54700 ber_scanf fmt ([W]) ber:
> 621f91e8.2a452f01 0x7fd802e54700 ber_scanf fmt ({m) ber:
> 621f91e8.2a453e63 0x7fd802e54700 ber_scanf fmt ([W]) ber:
> 621f91e8.2a454f85 0x7fd802e54700 ber_scanf fmt ({m) ber:
> 621f91e8.2a456f7f 0x7fd802e54700 ber_scanf fmt ([W]) ber:
> 621f91e8.2a457fb1 0x7fd802e54700 ber_scanf fmt ({m) ber:
> 621f91e8.2a4592f8 0x7fd802e54700 ber_scanf fmt ([W]) ber:
> 621f91e8.2a45bd6c 0x7fd802e54700 ber_scanf fmt ({m) ber:
> 621f91e8.2a45db2e 0x7fd802e54700 ber_scanf fmt ([W]) ber:
> 621f91e8.2a45ed71 0x7fd802e54700 ber_scanf fmt ({m) ber:
> 621f91e8.2a4600fb 0x7fd802e54700 ber_scanf fmt ([W]) ber:
> 621f91e8.2a4612ec 0x7fd802e54700 ber_scanf fmt ({xx) ber:
> 621f91e8.2a464168 0x7fd802e54700 ldap_msgfree
> 621f91e8.2a464f72 0x7fd802e54700 ldap_result ld 0x7fd7f41100e0 msgid 5
> 621f91e8.2a465d72 0x7fd802e54700 wait4msg ld 0x7fd7f41100e0 msgid 5 (timeout 100000 usec)
> 621f91e8.2a4669c0 0x7fd802e54700 wait4msg continue ld 0x7fd7f41100e0 msgid 5 all 0
> 621f91e8.2a46760b 0x7fd802e54700 ** ld 0x7fd7f41100e0 Connections:
> 621f91e8.2a46820c 0x7fd802e54700 * host: 192.168.2.190  port: 10983  (default)
> 621f91e8.2a469afc 0x7fd802e54700 * from: IP=192.168.2.110:36190
> 621f91e8.2a46a647 0x7fd802e54700   refcnt: 2  status: Connected
> 621f91e8.2a46c0c2 0x7fd802e54700   last used: Wed Mar  2 10:48:56 2022
> 
> 621f91e8.2a46cd37 0x7fd802e54700
> 621f91e8.2a46d7d1 0x7fd802e54700 ** ld 0x7fd7f41100e0 Outstanding Requests:
> 621f91e8.2a46e376 0x7fd802e54700  * msgid 5,  origid 5, status InProgress
> 621f91e8.2a46ee6f 0x7fd802e54700    outstanding referrals 0, parent count 0
> 621f91e8.2a46f9f1 0x7fd802e54700   ld 0x7fd7f41100e0 request count 1 (abandoned 0)
> 621f91e8.2a470434 0x7fd802e54700 ** ld 0x7fd7f41100e0 Response Queue:
> 621f91e8.2a470d9c 0x7fd802e54700    Empty
> 621f91e8.2a471898 0x7fd802e54700   ld 0x7fd7f41100e0 response count 0
> 621f91e8.2a4723a2 0x7fd802e54700 ldap_chkResponseList ld 0x7fd7f41100e0 msgid 5 all 0
> 621f91e8.2a472dfb 0x7fd802e54700 ldap_chkResponseList returns ld 0x7fd7f41100e0 NULL
> 621f91e8.2a47396e 0x7fd802e54700 ldap_int_select
> 621f91e8.2a474fed 0x7fd802e54700 read1msg: ld 0x7fd7f41100e0 msgid 5 all 0
> 621f91e8.2a475d10 0x7fd802e54700 ber_get_next
> 621f91e8.2a492ac1 0x7fd802e54700 ber_get_next: tag 0x30 len 12 contents:
> 621f91e8.2a494779 0x7fd802e54700 ldap_find_request_by_msgid: msgid 5, lr 0x7fd7f4118dd0 lr->lr_refcnt = 1
> 621f91e8.2a49549e 0x7fd802e54700 read1msg: ld 0x7fd7f41100e0 msgid 5 message type search-result
> 621f91e8.2a496015 0x7fd802e54700 ber_scanf fmt ({eAA) ber:
> 621f91e8.2a498953 0x7fd802e54700 read1msg: ld 0x7fd7f41100e0 0 new referrals
> 621f91e8.2a499c73 0x7fd802e54700 read1msg:  mark request completed, ld 0x7fd7f41100e0 msgid 5
> 621f91e8.2a49dbca 0x7fd802e54700 request done: ld 0x7fd7f41100e0 msgid 5
> 621f91e8.2a49f4bb 0x7fd802e54700 res_errno: 0, res_error: <>, res_matched: <>
> 621f91e8.2a4a05ec 0x7fd802e54700 ldap_return_request: lrx 0x7fd7f4118dd0, lr 0x7fd7f4118dd0
> 621f91e8.2a4a182d 0x7fd802e54700 ldap_return_request: lrx->lr_msgid 5, lrx->lr_refcnt is now 0, lr is still present
> 621f91e8.2a4a298b 0x7fd802e54700 ldap_free_request (origid 5, msgid 5)
> 621f91e8.2a4a3d5c 0x7fd802e54700 ldap_free_request_int: lr 0x7fd7f4118dd0 msgid 5 removed
> 621f91e8.2a4a4f04 0x7fd802e54700 ldap_do_free_request: asked to free lr 0x7fd7f4118dd0 msgid 5 refcnt 0
> 621f91e8.2a4a62e9 0x7fd802e54700 ldap_parse_result
> 621f91e8.2a4a6fd6 0x7fd802e54700 ber_scanf fmt ({iAA) ber:
> 621f91e8.2a4a7d53 0x7fd802e54700 ber_scanf fmt (}) ber:
> 621f91e8.2a4a886f 0x7fd802e54700 ldap_msgfree
> 621f91e8.2a4a97ed 0x7fd802e54700 send_ldap_result: conn=1001 op=1 p=3
> 621f91e8.2a4ac858 0x7fd802e54700 SASL [conn=1001] Failure: no secret in database
> 621f91e8.2a4b7daf 0x7fd802e54700 send_ldap_result: conn=1001 op=1 p=3
> 621f91e8.2a4ba2be 0x7fd802e54700 send_ldap_response: msgid=2 tag=97 err=49
> 621f91e8.2a4bc326 0x7fd802e54700 ber_flush2: 62 bytes to sd 9
> 621f91e8.2a4d96b5 0x7fd802e54700 <== slap_sasl_bind: rc=49
> 621f91e8.2a5736e7 0x7fd802e54700 connection_get(9): got connid=1001
> 621f91e8.2a575bcf 0x7fd802e54700 connection_read(9): checking for input on id=1001
> 621f91e8.2a5768b2 0x7fd802e54700 ber_get_next
> 621f91e8.2a57874f 0x7fd802e54700 ber_get_next: tag 0x30 len 5 contents:
> 621f91e8.2a5796d1 0x7fd802e54700 op tag 0x42, time 1646236136
> 621f91e8.2a57a77e 0x7fd802e54700 ber_get_next
> 621f91e8.2a5802c8 0x7fd802e54700 ber_get_next on fd 9 failed errno=0 (Success)
> 621f91e8.2a58367a 0x7fd802e54700 conn=1001 op=2 do_unbind
> 621f91e8.2a5881b7 0x7fd802e54700 connection_close: conn=1001 sd=9
> 621f91e8.2a588fef 0x7fd802e54700 =>ldap_back_conn_destroy: fetching conn 1001
> ^C621f91ea.1f6a360b 0x7fd803655700 daemon: shutdown requested and initiated.
> 621f91ea.1f6d18b1 0x7fd803655700 slapd shutdown: waiting for 0 operations/tasks to finish
> 621f91ea.1f73b8c6 0x7fd807671840 slapd shutdown: initiated
> 621f91ea.1f765b39 0x7fd807671840 slapd destroy: freeing system resources.
> 621f91ea.1f770206 0x7fd807671840 ldap_free_connection 1 1
> 621f91ea.1f7732d9 0x7fd807671840 ldap_send_unbind
> 621f91ea.1f77fcc1 0x7fd807671840 ber_flush2: 7 bytes to sd 10
> 621f91ea.1f7ba879 0x7fd807671840 ldap_free_connection: actually freed
> 621f91ea.1f7e833c 0x7fd807671840 slapd stopped.
> 
> The error from ldapsearch is:
> ldap_sasl_interactive_bind: Invalid credentials (49)
>         additional info: SASL(-13): user not found: no secret in databas
> 
> Is Cyrus NTLM looking for a secret in the ldap backend to check the password against?  Or does it not know how to validate the credentials against AD? (/etc/krb5.conf is there and I can generate a TGT using kinit.)  The OpenLDAP team said I need to reach out to the Cyrus project.
> 
> Thanks
> Marc

-- 
Simo Sorce
RHEL Crypto Team
Red Hat, Inc
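As an added example (not code from the thread, cyrus-sasl or OpenLDAP), here is a small Python model of the authz-regexp step visible in Marc's debug log: the SASL name uid=ou_svc_account,cn=NTLM,cn=auth is normalized, matched against the configured rule, expanded into the ldap:/// search URL, and that URL is split into the base, scope and filter of the internal search slapd performs. The function names and the RFC 4515 escaping of the captured value are this example's own additions; the rule and URL template are taken from the slapd.conf quoted above.

```python
import re
from urllib.parse import unquote

# Rule constructed from the slapd.conf quoted in the thread:
# authz-regexp <regexp> <replacement using $1>.
AUTHZ_RULES = [
    (r"uid=([^,]*),cn=ntlm,cn=auth",
     "ldap:///DC=domain1,DC=domain2,DC=com??sub?(samAccountName=$1)"),
]

SCOPES = {"": "base", "base": "base", "one": "one", "sub": "sub"}


def normalize_sasl_dn(sasl_dn):
    """Approximates slapd's dnNormalize on the synthetic cn=auth DN: the
    log shows cn=NTLM being lowercased to cn=ntlm before the rule runs.
    (uid is caseIgnore, so lowercasing the whole string is a fair model.)"""
    return sasl_dn.strip().lower()


def escape_filter_value(value):
    """RFC 4515 escaping so a captured identity cannot change the filter
    it is substituted into (defensive addition, not from the thread)."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def apply_authz_regexp(sasl_dn, rules=AUTHZ_RULES):
    """Return the rewritten URL (or DN) for the first rule that matches,
    or None when no rule does. Like regexec(), the pattern is unanchored
    unless the rule itself uses ^ and $."""
    name = normalize_sasl_dn(sasl_dn)
    for pattern, template in rules:
        m = re.search(pattern, name)
        if m is None:
            continue
        return re.sub(r"\$(\d)",
                      lambda g: escape_filter_value(m.group(int(g.group(1)))),
                      template)
    return None


def parse_ldap_url(url):
    """Split an RFC 4516 URL ldap://host/base?attrs?scope?filter into the
    search parameters slapd runs (log: base=dc=..., scope=2 meaning sub)."""
    if not url.startswith("ldap://"):
        raise ValueError("not an ldap:// URL")
    host, _, path = url[len("ldap://"):].partition("/")
    base, attrs, scope, flt = (path.split("?", 3) + [""] * 4)[:4]
    if scope not in SCOPES:
        raise ValueError(f"bad scope {scope!r}")
    return {
        "host": host or None,                      # None: the local server
        "base": unquote(base),
        "attrs": [a for a in attrs.split(",") if a],
        "scope": SCOPES[scope],
        "filter": unquote(flt) or "(objectClass=*)",
    }


if __name__ == "__main__":
    # The identity from the debug log, before the lookup that later fails.
    url = apply_authz_regexp("uid=ou_svc_account,cn=NTLM,cn=auth")
    print(url)
    print(parse_ldap_url(url))
```

The mapping itself succeeds here exactly as it does in the log; the later "no secret in database" failure comes from the NTLM mechanism needing a stored secret for the mapped identity, which this step does not provide.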

------------------------------------------
Cyrus: SASL
Permalink: https://cyrus.topicbox.com/groups/sasl/Tac2134087a4e755f-M00ddf2965edf1db4b4f92732
Delivery options: https://cyrus.topicbox.com/groups/sasl/subscription